b'April 10, 2009\n\nSUSAN C. PLONKEY\nVICE PRESIDENT, SALES\n\nSUBJECT: Final Audit Report \xe2\x80\x93 Automated Flats Sorting Machine 100 Images: Security\n         of Sensitive Customer Data (Report Number DA-AR-09-008)\n\nWe initiated this U.S. Postal Service Office of Inspector General (OIG) audit (Project\nNumber 09YG018PM000) based on an investigative referral that alleged the Automated\nFlats Sorting Machine (AFSM) 100 cameras were lifting images from Internal Revenue\nService (IRS) mailings and displaying social security numbers (SSNs). This condition\nwould increase the risk to U.S. Postal Service information security. Our objective was\nto determine whether the AFSM 100 cameras are revealing taxpayers\xe2\x80\x99 SSNs during the\nimage lifting process. See Appendix A for additional information about this audit.\n\nConclusion\n\nThe OIG evaluated random samples of mailpiece images the AFSM 100 cameras\ncaptured. None of these images showed information beyond the envelopes and cover\npage. Since these random images were not IRS-specific, it confirmed to us that the\nconcern was specific to the IRS. To test this theory, we simulated mail preparation and\nprocessed pseudo mailings the IRS provided. In all cases when contents shifted in\nenvelope windows, SSNs located on the secondary page were visible and were\ncaptured by the AFSM 100 cameras.\n\nThe IRS has the obligation to ensure SSNs cannot be seen in mailings. The Postal\nService\'s obligation is to ensure that SSNs inadvertently recorded by automated\nprocessing equipment remain confidential. Based on the safeguards the Postal Service\nhas in place to protect electronic records, we concluded the Postal Service has fulfilled\nits Privacy Act obligation. See Appendix B for our detailed analysis of this issue.\n\x0cAutomated Flats Sorting Machines 100:                                       DA-AR-09-008\n Security of Sensitive Customer Data\n\n\nManagement Corrective Action\n\nThe OIG, in coordination with the Postal Service\xe2\x80\x99s Business Service Network (BSN),\ndiscussed the finding with IRS Media and Publications representatives on March 20,\n2009. In response to our discussion draft report, BSN managers began working with\nthe IRS on March 30, 2009, to correct the exposure of SSNs in its mailings. Thus, this\nreport contains no recommendations.\n\nWe appreciate the cooperation and courtesies provided by your staff. If you have any\nquestions or need additional information, please contact Miguel Castillo, Director,\nEngineering, or me at (703) 248-2100.\n\n\n    E-Signed by Darrell E. Benjamin, Jr\n    VERIFY authenticity with ApproveIt\n\nDarrell E. Benjamin Jr.\nDeputy Assistant Inspector General\n for Support Operations\n\nAttachments\n\ncc: Walter O\xe2\x80\x99Tormey\n    Tammy L. Edwards\n    Angelic Burns\n    Katherine S. Banks\n\n\n\n\n                                           2\n\x0cAutomated Flats Sorting Machines 100:                                                             DA-AR-09-008\n Security of Sensitive Customer Data\n\n\n                          APPENDIX A: ADDITIONAL INFORMATION\n\nBACKGROUND\n\nThe Postal Service processes flat mail1 in two stages: mail preparation and automation\nprocessing. During mail preparation flat mailpieces are culled and stacked in a\ncontainer to facilitate automation processing. Subsequently, automated feeders agitate\nflat mail the AFSM 100 is processing. When a mailpiece address is unreadable, an\nAFSM 100 built-in camera takes an image of the mailpiece and sends it to a remote\nencoding center, where a person reads it, types the correct address, and sends it back\nto the processing plant.\n\nWhile the SSN was first introduced as a device for tracking contributions to the Social\nSecurity system, government entities and the private sector have expanded its use to\ntrack many other records. As early as the 1970s, concerns regarding increased use of\nSSNs by both government and private entities prompted studies and subsequent\ncongressional action limiting government use of SSNs. When Congress passed the\nPrivacy Act of 1974, it took the first statutory step toward establishing a federal policy\nlimiting compulsory divulgence of SSNs. In its report accompanying the Privacy Act, the\nSenate Committee on Government Operations stated that the extensive use of the SSN\nas a universal identifier was \xe2\x80\x9cone of the most serious manifestations of privacy concerns\nin the nation.\xe2\x80\x9d More recent enactments by Congress have provided for increased\nconfidentiality of SSNs in public records.\n\nOBJECTIVE, SCOPE, AND METHODOLOGY\n\nOur audit objective was to determine whether the AFSM 100 cameras are revealing\ntaxpayers\xe2\x80\x99 SSNs during the image lifting process. If true, the Postal Service is at risk of\nnot complying with laws designed to protect SSNs. Illustration 1 displays the image\nOIG Special Agents referred to the Office of Audit.\n\n\n\n\n1\n Flats are mailpieces that exceed one of the maximum dimensions of letter-size mail. Large envelopes, newspapers,\ncatalogs, circulars, and magazines are examples of flats.\n\n\n\n\n                                                       3\n\x0cAutomated Flats Sorting Machines 100:                                                 DA-AR-09-008\n Security of Sensitive Customer Data\n\nIllustration 1 \xe2\x80\x93 Image Referred\n\n             Mailpiece Referred\n                                          IRS mailing that generated the audit referral.\n                                          It should be noted the exposure is limited to\n                   SSN                    the envelope window. Taxpayer information\n                 Exposure                 has been sanitized in this image.\n\n\n\n\nTo accomplish our objective, we conducted interviews with Postal Service management\nand IRS officials. We worked with management to collect and review random images\nfrom AFSM 100 machines, in order to determine whether the AFSM 100 camera was\nreading information beyond the cover page. Additionally, we collected IRS mailing\nsamples for testing on AFSM 100 machines in a production environment at two\nseparate processing facilities. The purpose of this test was to determine whether the\nallegation was, in fact, was mailer-specific and confined to the envelope window area.\n\nWe conducted this performance audit from February through April 2009 in accordance\nwith generally accepted government auditing standards and included such tests of\ninternal controls as we considered necessary under the circumstances. Those\nstandards require that we plan and perform the audit to obtain sufficient, appropriate\nevidence to provide a reasonable basis for our findings and conclusions based on our\naudit objective. We believe the evidence obtained provides a reasonable basis for our\nfindings and conclusions based on our audit objective. We discussed our observations\nand conclusions with the Postal Service BSN manager and IRS Media and Publications\nrepresentatives on March 20, 2009, and included their comments where appropriate.\n\nPRIOR AUDIT COVERAGE\n\nWe did not identify any prior OIG audits or reviews related to the objective of this audit.\n\n\n\n\n                                             4\n\x0cAutomated Flats Sorting Machines 100:                                                                     DA-AR-09-008\n Security of Sensitive Customer Data\n\n\n                                 APPENDIX B: DETAILED ANALYSIS\n\nSSN Exposure\n\nOur observation and review of 100 images taken at random from AFSM 100 machines\nlocated at the Merrifield Processing and Distribution Center (P&DC) did not indicate that\nmachine cameras were capturing information beyond the face of flat envelopes.\nBecause the random images we reviewed were not mailings the IRS presented, we\nconcluded that the AFSM 100 camera was not capturing sensitive information on a wide\nscale, and that the imaged mailpiece in question, displayed in Illustration 1, was a\nmailer-specific condition.\n\nTherefore, in conjunction with Postal Service Engineering, we requested and tested\npseudo mailpieces from the IRS2 to validate whether the AFSM 100 machine could read\ntheir mailings beyond the cover page. SSNs were exposed on all five sampled\nmailpieces processed at the Merrifield P&DC and on three of the five mailpieces\nprocessed at the Southern Maryland P&DC. SSNs were transparent in the envelope\nwindow area only.\n\nIllustration 2 shows the before and after effect of our test of IRS mailpieces. The results\ncorroborated that IRS mailpieces of similar design displayed sensitive information from\nthe cover page after the contents had shifted during mail processing, and therefore the\nSSN exposure was due to the mailpiece design.\n\n\n\n\n2\n All IRS-tested mailpieces contained the same print quality, density, print location, and contrast ratio as the referred\nmailpiece.\n\n\n\n\n                                                            5\n\x0cAutomated Flats Sorting Machines 100:                                                    DA-AR-09-008\n Security of Sensitive Customer Data\n\n\n\nIllustration 2 \xe2\x80\x93 Before and After Images of Processed IRS Mailpieces\n\n    IRS Mailpiece Before Handling and                     IRS Mailpiece After Processing\n               Processing\n\n\n\n\n                                                                        SSN\n                                                                      Exposure\n\n\n\n\nThe image above represents a sample IRS        The image above shows the content in the window area\nmailing. It shows the content of the window    after simulated handling and processing on the AFSM\narea prior to handling and processing on the   100. Note that the pseudo SSN is now visible in the\nAFSM 100. Note that the barcode is visible     window area of the envelope. It should be noted that in\nand the pseudo SSN is not visible in the       some cases the SSN was also visible to the naked eye\nwindow area of the envelope.                   before processing on the AFSM 100.\n\n\n\n\n                                                  6\n\x0cAutomated Flats Sorting Machines 100:                                                                 DA-AR-09-008\n Security of Sensitive Customer Data\n\n\n\nPostal Service Obligation for Mailpiece Information Security\n\nFederal and state governments have taken steps to limit compulsory divulgence of\nSSNs. Congress passed the Privacy Act of 1974 and on November 6, 2000, the\nPresident signed into law the \xe2\x80\x9cSocial Security Number Confidentiality Act of 2000\xe2\x80\x9d\n(Confidentiality Act of 2000), codified at 31 U.S.C. \xc2\xa7 3327(b). In addition, a number of\nstates have enacted statutes that restrict the use or display of SSNs in various contexts.\nFor example, the state of Michigan enacted the Social Security Number Privacy Act, Act\n454, of 2004. This act prohibited the public display of all or more than four sequential\ndigits of the SSN.\n\nWe reviewed the Privacy Act of 1974 and the Confidentiality Act of 2000 and other\nrelated laws to determine the obligation of the Postal Service to maintain the\nconfidentiality of SSNs for mailings. We concluded that the obligation to ensure SSN\nconfidentiality ultimately rests with the agency that places the item into the mail stream.\nHowever, the Postal Service has an obligation to ensure that any personally identifiable\ninformation, including SSNs, that is inadvertently recorded by automated processing\nequipment remains confidential.\n\nThe database housing images would be considered a "system of records" for the\npurposes of the Privacy Act. We found the process used by the Postal Service to store\nthese images to be in compliance with Postal Service policy.3 Therefore, the Postal\nService has fulfilled its Privacy Act obligation to safeguard any inadvertent collection of\npersonally identifiable information like SSNs.\n\n\n\n\n3\n  Handbook AS-353, Guide to Privacy, the Freedom of Information Act, and Records Management, September 2005.\nSection 800 of the Appendix states that confidential records, such as SSNs, are to be stored in areas where access is\nlimited to authorized personnel.\n\n\n\n\n                                                         7\n\x0c'